CVE 8.5 HIGH

Arbitrary file write in Language Servers for AWS_CVE-2026-12958

June 23, 2026 invoker category_cve

8.5 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.

To remediate this issue, users should upgrade to version 1.69.0 or higher.

AI Analysis

Arbitrary file write vulnerability due to missing symlink validation in Language Servers for AWS

Basic Information

ID CVE-2026-12958

Source AMZN

Published Jun 23, 2026 at 16:03

Modified Jun 23, 2026 at 17:56

Affected Product

Vendor Amazon Web Services

Product Language Servers for AWS

Affected Versions Amazon Web Services Language Servers for AWS 0

CWE Classification

CWE-61

AI Assessment

AI Score 8.5 / 10

AI Severity High

Vendor Amazon Web Services

Product Language Servers for AWS

Version < 1.69.0

References

{
    "lastseen": "",
    "description": "Missing symlink validation in Language Servers for AWS may allow an arbitrary file write outside of the workspace trust boundary. This may occur when a local user opens a workspace with a maliciously crafted symlink that resolves to a file path outside the workspace trust boundary.\n\n\n\nTo remediate this issue, users should upgrade to version 1.69.0 or higher.",
    "published": "2026-06-23T16:03:01.746Z",
    "modified": "2026-06-23T17:56:13.812Z",
    "type": "cve",
    "title": "Arbitrary file write in Language Servers for AWS",
    "source": "AMZN",
    "references": "https://aws.amazon.com/security/security-bulletins/2026-047-aws/\nhttps://github.com/aws/language-servers/security/advisories/GHSA-6v3r-4p5c-mrp5",
    "id": "CVE-2026-12958",
    "bulletinFamily": "",
    "cwe": [
        "CWE-61"
    ],
    "cvelist": null,
    "sourceData": "Amazon Web Services Language Servers for AWS 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.5,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Language Servers for AWS",
    "version": "0",
    "vendor": "Amazon Web Services",
    "ai_description": "Arbitrary file write vulnerability due to missing symlink validation in Language Servers for AWS",
    "ai_severity": "High",
    "ai_vendor": "Amazon Web Services",
    "ai_product": "Language Servers for AWS",
    "ai_version": "< 1.69.0",
    "ai_score": 8.5
}

💭 Join the Security Discussion ❌ Cancel Reply